DOCSLIB.ORG

An Overview on the Static Code Analysis Approach in Software Development

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

An overview on the Static Code Analysis approach in Software Development Ivo Gomes 1, Pedro Morgado 1, Tiago Gomes 1, Rodrigo Moreira 2, 1 Software Testing and Quality, Master in Informatics and Computing Engineering, 2 Software Testing and Quality, Doctoral Program in Informatics Engineering, Faculdade de Engenharia da Universidade do Porto, Rua Dr. Roberto Frias 4200-465, Porto, Portugal {ei05021, ei05051, ei05080, pro08007}@fe.up.pt Abstract. Static analysis examines program code and reasons over all possible behaviors that might arise at run time. Tools based on static analysis can be used to find defects in programs. Recent technology advances has brought forward tools that do deeper analyses that discover more defects and produce a limited amount of false warnings. The aim of this work is to succinctly describe static code analysis, its features and potential, giving an overview of the concepts and technologies behind this type of approach to software development as well as the tools that enable the usage of code reviewing tools to aid programmers in the development of applications, thus being able to improve the code and correct errors before an actual execution of the code. Keywords: static analysis, code review, code inspection, source code, bugs, dynamic analysis, software testing, manual review. 1 Introduction The use of analytical methods to review source code in order to correct implementation bugs is, and has been, one of the backbone pillars behind software development. In the beginning of software development there was no conscience on how necessary and effective a review might be, but in the 1970’s, formal review and inspections were recognized as important to productivity and product quality, and thus were adopted by development projects [1]. This new approach to software development acknowledges defect removal in the early stages of the development process proved to produce more reliable and efficient programs. Fagan’s definition of error detection efficiency is as follows [2]: ͹ΠΠΝΠΡ ΔΝΣΜΒ ΐΧ ΏΜ ΗΜΞΓΑ΢ΗΝΜ Error Detection EfLiciency = × 100 . (1) ΈΝ΢ΏΚ ΓΠΠΝΠΡ ΗΜ ΢ΖΓ ΞΠΝΒΣΑ΢ ΐΓΔΝΠΓ ΗΜΡΞΓΑ΢ΗΝΜ So, as far as source code is concerned, it is in the best interest of the programmer to take advantage of static analysis. Although this does not imply that other forms of software analysis should be discouraged, on the contrary, the best way to certify that an implementation has the least amount of errors or defects is by combining both the static and the dynamic measures of analysis. The static analysis approach is meant to review the source code, checking the compliance of specific rules, usage of arguments and so forth; the dynamic approach is essentially executing the code, running the program and dynamically checking for inconsistencies of the given results. This means that testing and reviewing code are separate and distinguishable things, but it is unadvised that one should occur without the other, and it is also arguable as to what should be done first, testing or reviewing software [3]. This work focuses on the description of the static methods of analysis, with a special attention to the available tools in the market that provide this kind of service. This paper is organized in the following sections: Section 1, this current section, introduced the static analysis approach; Section 2 will describe a relative brief overview of static analysis, followed by the description of the most common methods of code reviewing done by humans: self review, walkthrough, peer review, inspection and audit. In order to ascertain the truly fundamental qualities of static code analysis and more importantly, to distinguish them from the dynamical testing approaches, Section 3 will describe the advantages and disadvantages regarding static analysis. A comprehensive comparison between code review and testing shall explain why the usage of just one of them is discouraged; Section 4 will summarize a listing of the most popular software tools that are capable of performing this type of code analysis which shall be followed by a comparison between some aspects of these tools; a further evaluation of these tools is described in Section 5; in Section 6 will feature some possible enhancements to be performed on such tools; and finally Section 7 will express a discussion over static code analysis tools in software development. 2 Overview of the Static Analysis approach Static code analysis is the analysis of computer software which is performed without the actual execution of the programs built from that software, as opposite of dynamic analysis (testing software by executing programs). For the majority of cases the analysis is performed on some version of the source code and in the other cases some form of the object code. The term is usually applied to the analysis performed by an automated software tool, with human analysis being called program understanding, program comprehension or code inspection. It can be argued that software metrics and reverse engineering are forms of static analysis, but such discussion is not the aim of this work. Programmers make little mistakes all the time, like a missing semicolon here, an extra parenthesis there, and so on. Most of the time these gaffes are inconsequential, the compiler notes the error, the programmer fixes the code, and the development process continues. However, this quick cycle of feedback and response normally does not apply to most security vulnerabilities, which can lie dormant for an indefinite amount of time before discovery. As explained earlier, the longer a defect on the software lies dormant, the more expensive it can be to fix [4]. The promise of static analysis is to identify many common coding problems automatically before a program is released. Static analysis aims to examine the text of a program statically, without attempting to execute it. Theoretically, static analysis tools can examine either a program’s source code or a compiled form of the program to equal benefit, although the problem of decoding the latter can be difficult [4]. 2.1 Manual Review Manual reviewing or auditing is a form of static analysis, very time-consuming, and to perform it effectively, human code auditors must first know what type of errors there are supposed to find before they can rigorously examine the code. The reviewing of an application’s code can be done in any phase of software development, but the best results are when this is done at an early stage, because the costs and risk of detecting and correcting security vulnerabilities and quality defects late in the software development process can be high. When those bugs escape into the market and are discovered by customers, the fallout can affect the bottom line and damage reputations [5]. Reviewing includes not only the code, but all documentation, requirements and designs the developer produces, everything is susceptible of being review, because there can be errors hidden in every step of software development. Basically, static code analysis performed by humans can be divided in two major categories: self reviews and 3 rd party reviews, which are tightly related to the Personal Software Process and the Team Software Process [6]. In the picture below, the initial phase shows the actual implementing of the code, which obviously isn’t any type of static analysis. Following is the self review of the written code, where the programmer tries to evaluate and correct by himself the code he implemented. The walkthrough focuses on the presentation to an audience of the code in question by its programmer. The peer review is when the programmer presents his code to a colleague to review. Finally the inspection and audit , which is usually done by a third party of evaluators, the audit being the highest formal review [5]. Fig. 1. Flow of types of reviews that increase formality. The best way to detect and correct bugs in an early stage of development is when the programmer himself performs the review and tries to find and correct problems in his code, this is commonly known as self review. In every programmer there should be a sense of personal responsibility in his implementations, and as such, it is always a good idea to try and keep track of the most common mistakes he does. This way in time it will become easier to prevent repeating them once again. There are some guidelines as to how to perform a proper self review: producing reviewable items (code, design, specifications, etc.); trying not to review code on screen, to circumvent the tendency to correct bugs as they are found; not reviewing the code right after it is written; to follow a structured review process; create personal checklists of the most common mistakes; taking enough time to review the code, so as to be certain that everything is as it should be (usually half the time it was required to write the code is more than enough to properly review it) [7]. The team review process can be a bit more complex, and there several different steps in reviewing software as a group of people. An interesting method is the walkthrough, in which the developer explains his code and ideas to an audience, being subject to their criticism. In addition, there are formal requisites to perform static reviews of code. This kind of group review can be achieved with a before-after technique, meaning there is a necessity of a review plan prior to the review (assembled by the leading reviewer) and a review report that contains all the results. The components of a formal review plan are: the review goals, the collection of items being reviewed, a set of preconditions for the review, roles, team size, participants, training requirements, review steps and procedures, checklists and other related documents to be distributed to participants, the time requirements, the nature of the review log and summary report, and rework and follow-up criteria and procedures.
Recommended publications
  • Executable Code Is Not the Proper Subject of Copyright Law a Retrospective Criticism of Technical and Legal Naivete in the Apple V

    Executable Code Is Not the Proper Subject of Copyright Law a Retrospective Criticism of Technical and Legal Naivete in the Apple V

    Executable Code is Not the Proper Subject of Copyright Law A retrospective criticism of technical and legal naivete in the Apple V. Franklin case Matthew M. Swann, Clark S. Turner, Ph.D., Department of Computer Science Cal Poly State University November 18, 2004 Abstract: Copyright was created by government for a purpose. Its purpose was to be an incentive to produce and disseminate new and useful knowledge to society. Source code is written to express its underlying ideas and is clearly included as a copyrightable artifact. However, since Apple v. Franklin, copyright has been extended to protect an opaque software executable that does not express its underlying ideas. Common commercial practice involves keeping the source code secret, hiding any innovative ideas expressed there, while copyrighting the executable, where the underlying ideas are not exposed. By examining copyright’s historical heritage we can determine whether software copyright for an opaque artifact upholds the bargain between authors and society as intended by our Founding Fathers. This paper first describes the origins of copyright, the nature of software, and the unique problems involved. It then determines whether current copyright protection for the opaque executable realizes the economic model underpinning copyright law. Having found the current legal interpretation insufficient to protect software without compromising its principles, we suggest new legislation which would respect the philosophy on which copyright in this nation was founded. Table of Contents INTRODUCTION................................................................................................. 1 THE ORIGIN OF COPYRIGHT ........................................................................... 1 The Idea is Born 1 A New Beginning 2 The Social Bargain 3 Copyright and the Constitution 4 THE BASICS OF SOFTWARE ..........................................................................
  • The LLVM Instruction Set and Compilation Strategy

    The LLVM Instruction Set and Compilation Strategy

    The LLVM Instruction Set and Compilation Strategy Chris Lattner Vikram Adve University of Illinois at Urbana-Champaign lattner,vadve ¡ @cs.uiuc.edu Abstract This document introduces the LLVM compiler infrastructure and instruction set, a simple approach that enables sophisticated code transformations at link time, runtime, and in the field. It is a pragmatic approach to compilation, interfering with programmers and tools as little as possible, while still retaining extensive high-level information from source-level compilers for later stages of an application’s lifetime. We describe the LLVM instruction set, the design of the LLVM system, and some of its key components. 1 Introduction Modern programming languages and software practices aim to support more reliable, flexible, and powerful software applications, increase programmer productivity, and provide higher level semantic information to the compiler. Un- fortunately, traditional approaches to compilation either fail to extract sufficient performance from the program (by not using interprocedural analysis or profile information) or interfere with the build process substantially (by requiring build scripts to be modified for either profiling or interprocedural optimization). Furthermore, they do not support optimization either at runtime or after an application has been installed at an end-user’s site, when the most relevant information about actual usage patterns would be available. The LLVM Compilation Strategy is designed to enable effective multi-stage optimization (at compile-time, link-time, runtime, and offline) and more effective profile-driven optimization, and to do so without changes to the traditional build process or programmer intervention. LLVM (Low Level Virtual Machine) is a compilation strategy that uses a low-level virtual instruction set with rich type information as a common code representation for all phases of compilation.
  • Studying the Real World Today's Topics

    Studying the Real World Today's Topics

    Studying the real world Today's topics Free and open source software (FOSS) What is it, who uses it, history Making the most of other people's software Learning from, using, and contributing Learning about your own system Using tools to understand software without source Free and open source software Access to source code Free = freedom to use, modify, copy Some potential benefits Can build for different platforms and needs Development driven by community Different perspectives and ideas More people looking at the code for bugs/security issues Structure Volunteers, sponsored by companies Generally anyone can propose ideas and submit code Different structures in charge of what features/code gets in Free and open source software Tons of FOSS out there Nearly everything on myth Desktop applications (Firefox, Chromium, LibreOffice) Programming tools (compilers, libraries, IDEs) Servers (Apache web server, MySQL) Many companies contribute to FOSS Android core Apple Darwin Microsoft .NET A brief history of FOSS 1960s: Software distributed with hardware Source included, users could fix bugs 1970s: Start of software licensing 1974: Software is copyrightable 1975: First license for UNIX sold 1980s: Popularity of closed-source software Software valued independent of hardware Richard Stallman Started the free software movement (1983) The GNU project GNU = GNU's Not Unix An operating system with unix-like interface GNU General Public License Free software: users have access to source, can modify and redistribute Must share modifications under same
  • Chapter 1 Introduction to Computers, Programs, and Java

    Chapter 1 Introduction to Computers, Programs, and Java

    Chapter 1 Introduction to Computers, Programs, and Java 1.1 Introduction • The central theme of this book is to learn how to solve problems by writing a program . • This book teaches you how to create programs by using the Java programming languages . • Java is the Internet program language • Why Java? The answer is that Java enables user to deploy applications on the Internet for servers , desktop computers , and small hand-held devices . 1.2 What is a Computer? • A computer is an electronic device that stores and processes data. • A computer includes both hardware and software. o Hardware is the physical aspect of the computer that can be seen. o Software is the invisible instructions that control the hardware and make it work. • Computer programming consists of writing instructions for computers to perform. • A computer consists of the following hardware components o CPU (Central Processing Unit) o Memory (Main memory) o Storage Devices (hard disk, floppy disk, CDs) o Input/Output devices (monitor, printer, keyboard, mouse) o Communication devices (Modem, NIC (Network Interface Card)). Bus Storage Communication Input Output Memory CPU Devices Devices Devices Devices e.g., Disk, CD, e.g., Modem, e.g., Keyboard, e.g., Monitor, and Tape and NIC Mouse Printer FIGURE 1.1 A computer consists of a CPU, memory, Hard disk, floppy disk, monitor, printer, and communication devices. CMPS161 Class Notes (Chap 01) Page 1 / 15 Kuo-pao Yang 1.2.1 Central Processing Unit (CPU) • The central processing unit (CPU) is the brain of a computer. • It retrieves instructions from memory and executes them.
  • Java Programming Standards & Reference Guide

    Java Programming Standards & Reference Guide

    Java Programming Standards & Reference Guide Version 3.2 Office of Information & Technology Department of Veterans Affairs Java Programming Standards & Reference Guide, Version 3.2 REVISION HISTORY DATE VER. DESCRIPTION AUTHOR CONTRIBUTORS 10-26-15 3.2 Added Logging Sid Everhart JSC Standards , updated Vic Pezzolla checkstyle installation instructions and package name rules. 11-14-14 3.1 Added ground rules for Vic Pezzolla JSC enforcement 9-26-14 3.0 Document is continually Raymond JSC and several being edited for Steele OI&T noteworthy technical accuracy and / PD Subject Matter compliance to JSC Experts (SMEs) standards. 12-1-09 2.0 Document Updated Michael Huneycutt Sr 4-7-05 1.2 Document Updated Sachin Mai L Vo Sharma Lyn D Teague Rajesh Somannair Katherine Stark Niharika Goyal Ron Ruzbacki 3-4-05 1.0 Document Created Sachin Sharma i Java Programming Standards & Reference Guide, Version 3.2 ABSTRACT The VA Java Development Community has been establishing standards, capturing industry best practices, and applying the insight of experienced (and seasoned) VA developers to develop this “Java Programming Standards & Reference Guide”. The Java Standards Committee (JSC) team is encouraging the use of CheckStyle (in the Eclipse IDE environment) to quickly scan Java code, to locate Java programming standard errors, find inconsistencies, and generally help build program conformance. The benefits of writing quality Java code infused with consistent coding and documentation standards is critical to the efforts of the Department of Veterans Affairs (VA). This document stands for the quality, readability, consistency and maintainability of code development and it applies to all VA Java programmers (including contractors).
  • Devsecops in Reguated Industries Capgemini Template.Indd

    Devsecops in Reguated Industries Capgemini Template.Indd

    DEVSECOPS IN REGULATED INDUSTRIES ACCELERATING SOFTWARE RELIABILITY & COMPLIANCE TABLE OF CONTENTS 03... Executive Summary 04... Introduction 07... Impediments to DevSecOps Adoption 10... Playbook for DevSecOps Adoption 19... Conclusion EXECUTIVE SUMMARY DevOps practices enable rapid product engineering delivery and operations, particularly by agile teams using lean practices. There is an evolution from DevOps to DevSecOps, which is at the intersection of development, operations, and security. Security cannot be added after product development is complete and security testing cannot be done as a once-per-release cycle activity. Shifting security Left implies integration of security at all stages of the Software Development Life Cycle (SDLC). Adoption of DevSecOps practices enables faster, more reliable and more secure software. While DevSecOps emerged from Internet and software companies, it can benefit other industries, including regulated and high security environments. This whitepaper covers how incorporating DevSecOps in regulated Industries can accelerate software delivery, reducing the time from code change to production deployment or release while reducing security risks. This whitepaper defines a playbook for DevSecOps goals, addresses challenges, and discusses evolving workflows in DevSecOps, including cloud, agile, application modernization and digital transformation. Bi-directional requirement traceability, document generation and security tests should be part of the CI/CD pipeline. Regulated industries can securely move away
  • Undefined Behaviour in the C Language

    Undefined Behaviour in the C Language

    FAKULTA INFORMATIKY, MASARYKOVA UNIVERZITA Undefined Behaviour in the C Language BAKALÁŘSKÁ PRÁCE Tobiáš Kamenický Brno, květen 2015 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Vedoucí práce: RNDr. Adam Rambousek ii Acknowledgements I am very grateful to my supervisor Miroslav Franc for his guidance, invaluable help and feedback throughout the work on this thesis. iii Summary This bachelor’s thesis deals with the concept of undefined behavior and its aspects. It explains some specific undefined behaviors extracted from the C standard and provides each with a detailed description from the view of a programmer and a tester. It summarizes the possibilities to prevent and to test these undefined behaviors. To achieve that, some compilers and tools are introduced and further described. The thesis contains a set of example programs to ease the understanding of the discussed undefined behaviors. Keywords undefined behavior, C, testing, detection, secure coding, analysis tools, standard, programming language iv Table of Contents Declaration ................................................................................................................................ ii Acknowledgements .................................................................................................................. iii Summary .................................................................................................................................
  • Parasoft Dottest REDUCE the RISK of .NET DEVELOPMENT

    Parasoft Dottest REDUCE the RISK of .NET DEVELOPMENT

    Parasoft dotTEST REDUCE THE RISK OF .NET DEVELOPMENT TRY IT https://software.parasoft.com/dottest Complement your existing Visual Studio tools with deep static INCREASE analysis and advanced PROGRAMMING EFFICIENCY: coverage. An automated, non-invasive solution that the related code, and distributed to his or her scans the application codebase to iden- IDE with direct links to the problematic code • Identify runtime bugs without tify issues before they become produc- and a description of how to fix it. executing your software tion problems, Parasoft dotTEST inte- grates into the Parasoft portfolio, helping When you send the results of dotTEST’s stat- • Automate unit and component you achieve compliance in safety-critical ic analysis, coverage, and test traceability testing for instant verification and industries. into Parasoft’s reporting and analytics plat- regression testing form (DTP), they integrate with results from Parasoft dotTEST automates a broad Parasoft Jtest and Parasoft C/C++test, allow- • Automate code analysis for range of software quality practices, in- ing you to test your entire codebase and mit- compliance cluding static code analysis, unit testing, igate risks. code review, and coverage analysis, en- abling organizations to reduce risks and boost efficiency. Tests can be run directly from Visual Stu- dio or as part of an automated process. To promote rapid remediation, each problem detected is prioritized based on configur- able severity assignments, automatical- ly assigned to the developer who wrote It snaps right into Visual Studio as though it were part of the product and it greatly reduces errors by enforcing all your favorite rules. We have stuck to the MS Guidelines and we had to do almost no work at all to have dotTEST automate our code analysis and generate the grunt work part of the unit tests so that we could focus our attention on real test-driven development.
  • Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform

    Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform

    Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform Parasoft® dotTEST™ /Jtest (for Java) / C/C++test is an integrated Development Testing solution for automating a broad range of testing best practices proven to improve development team productivity and software quality. dotTEST / Java Test / C/C++ Test also seamlessly integrates with Parasoft SOAtest as an option, which enables end-to-end functional and load testing for complex distributed applications and transactions. Capabilities Overview STATIC ANALYSIS ● Broad support for languages and standards: Security | C/C++ | Java | .NET | FDA | Safety-critical ● Static analysis tool industry leader since 1994 ● Simple out-of-the-box integration into your SDLC ● Prevent and expose defects via multiple analysis techniques ● Find and fix issues rapidly, with minimal disruption ● Integrated with Parasoft's suite of development testing capabilities, including unit testing, code coverage analysis, and code review CODE COVERAGE ANALYSIS ● Track coverage during unit test execution and the data merge with coverage captured during functional and manual testing in Parasoft Development Testing Platform to measure true test coverage. ● Integrate with coverage data with static analysis violations, unit testing results, and other testing practices in Parasoft Development Testing Platform for a complete view of the risk associated with your application ● Achieve test traceability to understand the impact of change, focus testing activities based on risk, and meet compliance
  • Architectural Support for Scripting Languages

    Architectural Support for Scripting Languages

    Architectural Support for Scripting Languages By Dibakar Gope A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy (Electrical and Computer Engineering) at the UNIVERSITY OF WISCONSIN–MADISON 2017 Date of final oral examination: 6/7/2017 The dissertation is approved by the following members of the Final Oral Committee: Mikko H. Lipasti, Professor, Electrical and Computer Engineering Gurindar S. Sohi, Professor, Computer Sciences Parameswaran Ramanathan, Professor, Electrical and Computer Engineering Jing Li, Assistant Professor, Electrical and Computer Engineering Aws Albarghouthi, Assistant Professor, Computer Sciences © Copyright by Dibakar Gope 2017 All Rights Reserved i This thesis is dedicated to my parents, Monoranjan Gope and Sati Gope. ii acknowledgments First and foremost, I would like to thank my parents, Sri Monoranjan Gope, and Smt. Sati Gope for their unwavering support and encouragement throughout my doctoral studies which I believe to be the single most important contribution towards achieving my goal of receiving a Ph.D. Second, I would like to express my deepest gratitude to my advisor Prof. Mikko Lipasti for his mentorship and continuous support throughout the course of my graduate studies. I am extremely grateful to him for guiding me with such dedication and consideration and never failing to pay attention to any details of my work. His insights, encouragement, and overall optimism have been instrumental in organizing my otherwise vague ideas into some meaningful contributions in this thesis. This thesis would never have been accomplished without his technical and editorial advice. I find myself fortunate to have met and had the opportunity to work with such an all-around nice person in addition to being a great professor.
  • Building Useful Program Analysis Tools Using an Extensible Java Compiler

    Building Useful Program Analysis Tools Using an Extensible Java Compiler

    Building Useful Program Analysis Tools Using an Extensible Java Compiler Edward Aftandilian, Raluca Sauciuc Siddharth Priya, Sundaresan Krishnan Google, Inc. Google, Inc. Mountain View, CA, USA Hyderabad, India feaftan, [email protected] fsiddharth, [email protected] Abstract—Large software companies need customized tools a specific task, but they fail for several reasons. First, ad- to manage their source code. These tools are often built in hoc program analysis tools are often brittle and break on an ad-hoc fashion, using brittle technologies such as regular uncommon-but-valid code patterns. Second, simple ad-hoc expressions and home-grown parsers. Changes in the language cause the tools to break. More importantly, these ad-hoc tools tools don’t provide sufficient information to perform many often do not support uncommon-but-valid code code patterns. non-trivial analyses, including refactorings. Type and symbol We report our experiences building source-code analysis information is especially useful, but amounts to writing a tools at Google on top of a third-party, open-source, extensible type-checker. Finally, more sophisticated program analysis compiler. We describe three tools in use on our Java codebase. tools are expensive to create and maintain, especially as the The first, Strict Java Dependencies, enforces our dependency target language evolves. policy in order to reduce JAR file sizes and testing load. The second, error-prone, adds new error checks to the compilation In this paper, we present our experience building special- process and automates repair of those errors at a whole- purpose tools on top of the the piece of software in our codebase scale.
  • Codesonar the SAST Platform for Devsecops

    Codesonar the SAST Platform for Devsecops

    DATASHEET CodeSonar The SAST Platform for DevSecOps Accelerate Application Security Software teams are under constant pressure to deliver more content with higher complexity, in shorter timeframes, with increased quality and security. Static Application Security Testing is a proven best practice to help software teams deliver the best code in the shortest timeframe. GrammaTech has been a leader in this field for over 15 years with CodeSonar delivering multi-language SAST capabilities for enterprises where software quality and software security matter. DevSecOps - Speed and Scale Language Support Software developers need rapid feedback on security CodeSonar supports many popular languages, including vulnerabilities in their code. CodeSonar can be integrated into C/C++, Java, C# and Android, as well as support for native software development environments, works unobtrusively to binaries in Intel, Arm and PowerPC instruction set architectures. the developer and provides rapid feedback. CodeSonar also supports OASIS SARIF, for exchange of information with other tools in the DevSecOps environment. Examples of Defects Detected • Buffer over- and underruns • Cast and conversion problems • Command injection • Copy-paste error • Concurrency • Ignored return value • Memory leak • Tainted data • Null pointer dereference • Dangerous function • Unused parameter / value And hundreds more Security Quality Privacy Broad coverage of security vulnerabilities, Integration into DevSecOps to improve Checkers that detect performance including OWASP Top10, SANS/CWE 25. quality of the code and developer impacts such as unnecessary test for Support for third party applications efficiency. Find code quality and nullness, creation of redundant objects or through byte code analysis. performance issues at speed. superfluous memory writes. Team Support Built In CodeSonar is designed to support large teams.